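/// <summary>
/// Resets the password of <paramref name="username"/> to a freshly generated value and returns that value.
/// </summary>
/// <param name="username">Account whose password is reset; trimmed and length-checked (max 256) by SecUtility.</param>
/// <param name="passwordAnswer">Answer to the user's password question. Trimmed and lower-cased (invariant culture)
/// before being encoded with the user's salt/format. Must be non-empty (max 128 encoded) only when
/// <see cref="RequiresQuestionAndAnswer"/> is true.</param>
/// <returns>The new clear-text password that was stored (in encoded form) for the user.</returns>
/// <exception cref="NotSupportedException"><see cref="EnablePasswordReset"/> is false.</exception>
/// <exception cref="MembershipPasswordException">The stored record reports a bad-password status, or the repository refused the reset.</exception>
/// <exception cref="ProviderException">Any other non-zero status from the store, or custom password validation rejected the generated password.</exception>
public override string ResetPassword(string username, string passwordAnswer)
{
    if (!EnablePasswordReset)
    {
        throw new NotSupportedException(SR.GetString(SR.Not_configured_to_support_password_resets));
    }

    SecUtility.CheckParameter(ref username, true, true, true, 256, "username");

    string salt;
    int passwordFormat;
    string passwdFromDB;
    int status;
    int failedPasswordAttemptCount;
    int failedPasswordAnswerAttemptCount;
    bool isApproved;
    DateTime lastLoginDate, lastActivityDate;

    // Load the current credential record; only status, format/salt and lastActivityDate are used below.
    GetPasswordWithFormat(username, false, out status, out passwdFromDB, out passwordFormat, out salt,
        out failedPasswordAttemptCount, out failedPasswordAnswerAttemptCount, out isApproved,
        out lastLoginDate, out lastActivityDate);

    if (status != 0)
    {
        if (IsStatusDueToBadPassword(status))
        {
            throw new MembershipPasswordException(SR.GetExceptionText(status));
        }
        throw new ProviderException(SR.GetExceptionText(status));
    }

    // Normalise the answer the same way it is stored: trimmed, invariant lower-case, then encoded with the user's salt/format.
    if (passwordAnswer != null)
    {
        passwordAnswer = passwordAnswer.Trim();
    }

    string encodedPasswordAnswer;
    if (!string.IsNullOrEmpty(passwordAnswer))
    {
        encodedPasswordAnswer = EncodePassword(passwordAnswer.ToLower(CultureInfo.InvariantCulture), passwordFormat, salt);
    }
    else
    {
        encodedPasswordAnswer = passwordAnswer;
    }

    SecUtility.CheckParameter(ref encodedPasswordAnswer, RequiresQuestionAndAnswer, RequiresQuestionAndAnswer, false, 128, "passwordAnswer");

    // NOTE(review): encodedPasswordAnswer is only checked for presence/length. It is never compared with the
    // stored answer and is not passed to ResetPasswordExecute below, so with RequiresQuestionAndAnswer == true
    // the answer is effectively ignored: anyone who knows a username can reset that account's password and
    // receive the new one. The UserRepository API visible here exposes no stored-answer accessor, so the
    // comparison has to be added there (or ResetPasswordExecute must accept and verify the encoded answer).
    // Keep EnablePasswordReset off until that is in place.

    string newPassword = GeneratePassword();

    ValidatePasswordEventArgs e = new ValidatePasswordEventArgs(username, newPassword, false);
    OnValidatingPassword(e);
    if (e.Cancel)
    {
        if (e.FailureInformation != null)
        {
            throw e.FailureInformation;
        }
        throw new ProviderException(SR.GetString(SR.Membership_Custom_Password_Validation_Failure));
    }

    var dbo = new UserRepository(this.Name, _sqlConnectionString, _commandTimeout);

    // The store receives the encoded form; the caller gets the clear-text value to hand to the user.
    string encodedNewPassword = EncodePassword(newPassword, passwordFormat, salt);

    if (!dbo.ResetPasswordExecute(username, encodedNewPassword, passwordFormat, salt, lastActivityDate))
    {
        // A refused reset is treated like a failed credential check: count it and lock at the threshold.
        // NOTE(review): the increment targets the password counter while the threshold test reads the
        // answer counter; a dedicated answer-attempt increment on UserRepository would make this consistent.
        dbo.FailedPasswordAttemptIncrement(username);
        var user = dbo.GetUser(username);
        if (user.FailedPasswordAnswerAttemptCount >= MaxInvalidPasswordAttempts)
        {
            dbo.LockAccount(username);
        }

        // Bug fix: the stored password was NOT changed, so do not return a password as though it had been.
        throw new MembershipPasswordException("Password reset failed.");
    }

    dbo.PasswordAttemptCountClear(username);

    // Bug fix: previously returned the encoded (hashed/encrypted) value, which cannot be used to log in
    // under any password format other than Clear. The MembershipProvider contract is the clear-text password.
    return newPassword;
}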
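/// <summary>
/// Verifies <paramref name="password"/> against the stored credential of <paramref name="username"/>,
/// maintaining the failed-attempt counter and lockout state as a side effect.
/// </summary>
/// <param name="username">Account to check.</param>
/// <param name="password">Clear-text password from the caller; encoded with the stored salt/format before comparison.</param>
/// <param name="updateLastLoginActivityDate">Forwarded unchanged to <see cref="GetPasswordWithFormat"/>.</param>
/// <param name="failIfNotApproved">When true, an unapproved account fails even with the correct password.</param>
/// <param name="salt">Receives the user's salt (from the stored record; re-read from the repository user on the slow path).</param>
/// <param name="passwordFormat">Receives the user's password format (same provenance as <paramref name="salt"/>).</param>
/// <returns>true only if the record was found with status 0, the account is approved (when required),
/// is not locked out, and the encoded password matches the stored one.</returns>
private bool CheckPassword(string username, string password, bool updateLastLoginActivityDate, bool failIfNotApproved, out string salt, out int passwordFormat)
{
    string passwdFromDB;
    int status;
    int failedPasswordAttemptCount;
    int failedPasswordAnswerAttemptCount;
    bool isApproved;
    DateTime lastLoginDate, lastActivityDate;

    GetPasswordWithFormat(username, updateLastLoginActivityDate, out status, out passwdFromDB, out passwordFormat, out salt,
        out failedPasswordAttemptCount, out failedPasswordAnswerAttemptCount, out isApproved,
        out lastLoginDate, out lastActivityDate);

    if (status != 0)
    {
        return false;
    }
    if (!isApproved && failIfNotApproved)
    {
        return false;
    }

    // Ordinal, null-safe comparison of the encoded values.
    // NOTE(review): this is not a constant-time comparison. For hashed formats the timing leak concerns the
    // hash rather than the password, but for PasswordFormat.Clear it leaks prefix matches of the password itself.
    string encodedPasswd = EncodePassword(password, passwordFormat, salt);
    bool isPasswordCorrect = string.Equals(passwdFromDB, encodedPasswd, StringComparison.Ordinal);

    // Fast path: a correct password with clean counters needs no bookkeeping.
    if (isPasswordCorrect && failedPasswordAttemptCount == 0 && failedPasswordAnswerAttemptCount == 0)
    {
        return true;
    }

    var dbo = new UserRepository(this.Name, _sqlConnectionString, _commandTimeout);
    var user = dbo.GetUser(username);

    // Re-read the out parameters from the repository user so the caller sees the record the lockout state came from.
    passwordFormat = (int)user.PasswordFormat;
    salt = user.Salt;

    if (user.IsLockedOut)
    {
        return false;
    }

    DateTime dtNow = DateTime.UtcNow;
    if (!isPasswordCorrect)
    {
        // A missing window start is treated as long expired so the first failure opens a fresh window.
        // NOTE(review): the user model only exposes the *answer* window here, so password failures are
        // windowed on FailedPasswordAnswerAttemptWindowStart; a password-specific window would be more accurate.
        DateTime windowStart = user.FailedPasswordAnswerAttemptWindowStart ?? dtNow.AddYears(-2);
        bool windowExpired = dtNow > windowStart.AddMinutes(_passwordAttemptWindow);
        if (windowExpired)
        {
            dbo.PasswordAttemptCountClear(username);
        }

        dbo.FailedPasswordAttemptIncrement(username);

        // Bug fix: the threshold used to be the stored answer count itself (x >= x, always true), which locked
        // the account on the very first wrong password — a one-request lockout DoS against any username.
        // Lock when the password-failure count in the current window reaches the configured maximum.
        // Assumes PasswordAttemptCountClear zeroes and FailedPasswordAttemptIncrement adds one to the same
        // counter GetPasswordWithFormat reports as failedPasswordAttemptCount — TODO confirm against UserRepository.
        int failuresInWindow = (windowExpired ? 0 : failedPasswordAttemptCount) + 1;
        if (failuresInWindow >= MaxInvalidPasswordAttempts)
        {
            dbo.LockAccount(username);
        }
    }
    else
    {
        // Correct password with non-zero counters: clear the failure state.
        // Bug fix: the original tested the answer counter twice; the first operand was meant to be the password counter.
        if (failedPasswordAttemptCount > 0 || user.FailedPasswordAnswerAttemptCount.GetValueOrDefault() > 0)
        {
            dbo.UnlockAccount(username);
        }
    }

    dbo.UpdateLastActivityDate(username);
    return isPasswordCorrect;
}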